EFA, APF call for greater access to personal information

Electronic Frontiers Australia (EFA) and the Australian Privacy Foundation (APF) have highlighted the need to strengthen the Privacy Act 1988 and make information held by a company available to end users.

EFA spokesperson, Stephen Collins, told Computerworld Australia that the current Privacy Act was "problematic" because in some cases, it was difficult for people to get hold of information about themselves.

"In light of some recent breaches of privacy that we have seen take place, the EFA would love to see some teeth with respect to penalties for those who breach privacy," he said.

"We would like to see the capacity for people to easily understand what any given data holder has on them. Consumers should also have the capacity to request that things are removed or changed if they want it.

"If you or I had a dataset that we knew someone was holding on us, we should be able to get that record and see what it contains.

"Privacy is about empowering individuals whose data is being collected."

Collins said the Australian Government's Privacy Awareness Week, which ends on Friday, was positive as it drew attention to the issue.

"It would be lovely if the organisers partnered with someone like Facebook, which so many Australians use," he said.

"If they were plugging it to Australian users and also saying 'here’s how to accurately change your privacy on Facebook', that would help."

However, given what he described as Facebook's "fast and loose" method of changing its privacy policy, Collins doubted the social networking site would take part in such an initiative.

"I’m all for them as a business being able to collect whatever data we are prepared to give them but we need to know what that data is, how it’s used, where it’s used and have them remove bits of it on request," he said.

APF vice chair, David Vaile, agreed with Collins that while it was useful to have a privacy week, the Privacy Act had "some problems", including loopholes and a lack of enforcement by the Privacy Commissioner.

"Companies who breach privacy rules should be publicly named and shamed," he said.

"For example, if some company did something wrong with people's data and wouldn’t cooperate, it would have to reveal that breach.

"The [Privacy] Commissioner would wander around with a big stick saying 'this has got to stop because these people are not playing the game'."

The $466.7 million project aims to increase online access to records with proposals, such as consumer information via Web portal (to be developed by Medibank Private), advanced care directives and connection with Medicare data.

"A lot of critics have said it is getting introduced without a proper public consultation about the privacy and information security regime around it," Collins said.

"We don’t have updated health privacy laws so it’s very disturbing that they are prepared to go ahead and introduce a national e-health record system.

"That is a bad sign of the government commitment to privacy because it is a sensitive area and will cover so much of the field."

According to Vaile, health privacy law reviews have not been included in the Privacy Act review.

In August last year, the ALRC launched the results of its review in a report titled, For Your Information: Australian Privacy Law and Practice, which recommended a rewrite of the nation's 20-year-old privacy laws to keep pace with the information age.

Vaile added that a "real present" for Australian users of online services would be to implement the core deferred parts of the Privacy Law review, such as mandatory disclosure breach notification.

"I would suggest they also need to tighten up data transfer principle," he said.

"This is a question about outsourcing data, and if you send data somewhere else, do you lose your obligation to look after it at that point?"

According to Vaile, many privacy advocates advise that companies should not do this.

"If you sent it to somewhere like the US and it gets trashed, you shouldn’t be able to sue them overseas," he said.

"The proper response should be that if your data goes offshore, and the commercial value of it has gone offshore, the legal obligation should also track with it."

The Australian Government released a draft strategy paper in January 2011 into public and private Cloud adoption, including advice about hosting data offshore.

Copyright 2015 IDG Communications. ABN 14 001 592 650. All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.